Privacy Statement

INTRODUCTION

Abellio Corporate Travel (Abellio Transport Holdings Ltd) and Event Connect (Abellio London Ltd & Abellio West London Ltd) is committed to protecting and respecting your privacy when you use our services.

This Privacy Policy explains:

What personal data we collect from you when you use our website, apps, visit our depots, contact us, use our services or Wi-Fi

How we will collect and use that information;

How we keep information secure; and

How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

CONTENTS

Information we may collect from you

How we use your information

Sharing or disclosure of your information

Types of information we collect

CCTV

Website visits and purchases

Customer Relations database

Registering as an Event Connect bus operator

Where we store your personal information

Information Security

Your rights

For the purposes of the Data Protection Act 2018, the data controller is:

More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website https://ico.org.uk/. The Information Commissioner is our regulator for data protection matters.

2. HOW WE USE YOUR INFORMATION

We will only use the information you provide as permitted by the Data Protection Law (DPL). Our reason(s) for using your data will vary depending on: how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have. Reasons for the use of your data include:

To provide you with the service - things like carrying out our obligations arising from any contracts - selling tickets, making and taking payments. We mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators

To provide you with details of our services, information about travelling and customer service - this is based on our legitimate interests, to run bus and associated services. Sometimes it is part of our contract or our other legal obligations

To run our services and improve them - we believe in investing in our services, not just to benefit passengers but also the wider community, environment, and economy. There are lots of activities we do to achieve this, some are administrative, and we also do things like monitoring passenger numbers on our routes, improving technology to help plan journeys - make money, run our services safely and be a good employer - we call these our legitimate interests. Some of these are also covered in our legal obligations, not just to customers, but under our contracts with Transport for London, Local Authority Contracts, the Department for Transport or Regulators. Some data is also shared to run interoperable services – in the Rail Industry this is overseen by the Rail Delivery Group - this is how you are able to use a ticket on a train and tube for example or use a rail Discount card.

For your safety and security.

For fraud and crime prevention.

To enhance your experience of our website, as described in our cookie policy

We are part of a Group of Companies and share administrative services and support. Your data may, therefore, be shared with other Group companies where appropriate. We are also required to pass certain customer data to successor franchisees, Secretary of State or Department for Transport.

Our legitimate interests

We aim to run our business and Group businesses in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services. We also aim to improve and expand our services, be a leading employer in the transport sector and invest in and develop our staff. We operate with financial discipline to provide shareholder value, provide and improve customer services.

3. SHARING OR DISCLOSURE OF YOUR INFORMATION

We will only share or disclose your information as set out in this Policy or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure.

Due to the nature of the services we provide, we process a large range of data, in a number of ways, across a number of solutions. Accordingly, it was deemed impractical to set out the details of all the third parties that we may share your data with below.

We may share or disclose information for the following reasons:

We use data processors to provide or assist with some of our services, for example, the processing of ticket purchases. Where we do so, they must agree to strict contractual terms and to keep your data secure;

Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement;

To respond to your complaints or administer requests you have made, either to us or another regulatory body such as Transport for London; Department for Transport; Passenger Focus, London Travelwatch, the Rail Complaints Ombudsman or other Train Operating Companies (TOCs);

To process payment card transactions;

To comply with the police or other law enforcement agencies for the purposes of crime prevention or detection, these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful;

To comply with other legal obligations, for example, relating to crime and taxation purposes or regulatory activity;

To protect our legitimate business interests, as outlined above;

If you have agreed (via freely given consent) to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose; and

Where you have consented, to share with other members of the Abellio Group UK (“Abellio”), of which we are a member, where Abellio has any services, promotions and offers which we feel may interest you. Details of other members of Abellio can be found here.

4. TYPES OF INFORMATION WE COLLECT

CCTV

CAMERA SYSTEMS WE OPERATE

Our CCTV is used to capture, record and monitor images of what takes place at our depots and on our buses, in real time.

Depending on the type of camera, images are recorded on videotape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.

Why we operate CCTV cameras

We operate CCTV for the following purposes:

Health and safety of employees, passengers and other members of the public; and

Prevention and detection of crime and anti-social behaviour.

Camera locations

We operate cameras at our depots and on all the buses that we run.

Length of time CCTV footage is kept

CCTV footage at offices is generally held for a maximum of 31 days; from the time of recording, unless the footage is used for investigation of an incident or accident in which case the footage will be retained for 3.5 years or until 3.5 years past the 18th birthday of any children known to be involved in the incident.

How to access your CCTV personal data

You can request copies of images or footage of yourself by making a Subject Access Request.

Disclosing CCTV/personal data to the police

At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police have to demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the DPL.

Sharing CCTV footage with other third parties

We may share CCTV images with Transport for London to support investigations into major incidents involving our buses.

We may also disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. DPL allows us to do this where the request is supported by:

evidence of the relevant legislation

a court order

satisfactory evidence and assurances of the legitimate interest.

Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals; we may also charge a fee and seek indemnity for any use beyond which it is requested.

External guidelines and best practice

Abellio Corporate Travel and Abellio Event Connect operate its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office (ICO) in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relate to individuals (for example vehicle registration marks).

WEBSITE VISITS AND PURCHASES

This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:

Collection of visitor information;

Hyperlinks;

Cookies;

Session Cookies;

Other storage technologies.

Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with the DPL.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by Abellio Corporate Travel and Event Connect website for operational purposes, for example, booking coach parking or processing payments.

Abellio Corporate Travel and Abellio Event Connect gather general information about users, for example, what services users access the most and which areas of the Abellio Corporate Travel and Event Connect sites are most frequently visited. Such data is used in the aggregate to help us to understand how the Abellio Corporate Travel and Event Connect sites are used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the Abellio Corporate Travel and Event Connect sites and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with Abellio Corporate Travel and Event Connect for online ticket purchasing, or other services, we ask for personal information such as your name, contact details, and other details. Once you have done this and accept our Terms & Conditions, you are not anonymous to us. We may contact you regarding site changes or changes to the Abellio Corporate Travel and Event Connect products or services that you use.

If you buy a ticket online with Abellio Corporate Travel and Event Connect, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your request.

We also use your personal information to:

Exercise Our rights and to perform Our obligations arising from any contracts entered into between either you and Us or your employer and Us and to provide you with information essential to Our services;

To provide you with after-care support, including advising you of prospective renewal dates for ongoing travel arrangements;

To provide you with information that you request from Us;

Notify you of changes or updates to Our service;

To carry out credit checks and for fraud prevention purposes;

Allow you to participate in interactive features of Our service when you choose to do so;

Improve our services and website to ensure that content is presented in the most effective manner for you and for your device.

Hyperlinks

We may provide hyperlinks from the site to third-party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that Abellio Corporate Travel and Abellio Event Connect approves or recommends the content of such sites. We encourage our users to be aware when they leave our site to read the privacy statements of each and every website that collects personal data. This Privacy Policy applies solely to information collected by Abellio Corporate Travel and Abellio Event Connect.

Cookies

Our website uses cookies to help us to provide you with a good experience when you browse our website and also allows us to improve our website.

A "cookie" is a small text file that is placed on your equipment (computer, phone, tablet etc.) when you visit a website

There are several types of cookies:

Functional cookies

The functional or session cookies are used to provide services or to store your preferred settings. For example, for:

remembering the products, you purchase during online shopping;

memorising and passing on the information that you enter during the log-in process or that you leave behind on the various web pages during the ordering process, so that you do not have to enter the same data every time;

saving your preferences;

detecting abuse of our websites.

Analytical cookies

These cookies are used to analyse your visit to our websites. For example, we analyse the number of visitors visiting our websites, the duration of the visits, the order of the pages visited and whether the pages of a website need to be adjusted. With the help of the collected information, we can organise our websites to be more user-friendly. Furthermore, these cookies are used to solve possible technical problems on the websites.

Other techniques

In addition to cookies, Abellio Corporate Travel and Abellio Event Connect websites also use Javascript and web beacons. By using JavaScript in your browser, we can make our sites interactive and develop applications for the web. A web beacon is a small graphic image on our sites. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes.

An overview of the cookies & similar techniques that we use can be found here

Access to our database containing personal information on registered users on Abellio Corporate Travel and Abellio Event Connect site is restricted. In order to increase security, we ask you to input a password when you register as a user of the site. Please keep this password secret. In addition, we encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the Internet. SSL is certified by Verisign and is recognised as a secure way to pay on-line. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.

TICKET PURCHASES

PERSONAL DETAILS WE HOLD

When you register to buy a season ticket or travel ticket from our website, we keep a record of this on a database. We keep the following details:

Name and email address;

Phone number, address and date of birth if you provide them;

Your interests and travel use information if you provide them;

The method of payment used, but not any payment card details.

The origin, destination and start and end date of season tickets you have purchased, along with any duplicate, replacement or refund of these; and

HOW WE USE YOUR PERSONAL DATA

We use this information for Contractual obligations, Customer Relations and administration, customer research and fraud prevention.

We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.

WHY WE RETAIN YOUR INFORMATION

We retain your information to enable you to purchase tickets.

LENGTH OF TIME RECORDS ARE KEPT

Records are kept until you tell us you no longer wish to be registered for ticket purchases or you have not purchased a ticket for 2 years for Event Connect and 7 years for Abellio Corporate Travel

Sharing data with third parties

WE MAY SHARE YOUR PERSONAL INFORMATION WITH:

Your employer (where you are using Our services as an employee) so as to provide services to you in accordance with Our terms of service with your employer;

Travel service providers, such as Trainline.com Limited, where necessary to provide you with the services either you or your employer request;

Other suppliers who perform functions on Our behalf to support Our services;

Anti-fraud organisations and credit reference agencies;

Other members of the Abellio Group;

In the event that We sell any business or assets, in which case We may disclose your personal information to the prospective buyer of such business or assets;

If We are under a duty to disclose or share your personal information in order to comply with any legal obligation; and

Our professional advisers and service providers such as debt collection agencies.

WHY WE RETAIN YOUR INFORMATION

We retain your information for permitted linked purposes like legal obligation. If the information is used for two purposes, we will retain it until the purpose with the latest period expires, but we will stop using it for the purpose with a shorter period once that period expires.

We may share your correspondence with:

British Transport Police under a data sharing agreement to prevent and detect crime.

The [Penalty Services Limited]

If you appeal a Penalty Notice issued to you.

Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure. Requests from ombudsmen are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

We may also share your information with the operator of your service to provide the service we offer, for example, requesting they provide a reissued ticket to you or your details to enable you to claim delay repay or other operator specific benefits

REGISTERING AS EVENT CONNECT BUS OPERATOR

PERSONAL DETAILS WE HOLD

When you register ON our website, we keep a record of this on a database. We keep the following details:

Company name, Contact name and email address;

Contact phone number;

HOW WE USE YOUR PERSONAL DATA

We use this information to help us organise rail replacement bus services and administration.

We will not pass your personal information to any other organisation for marketing purposes.

WHY WE RETAIN YOUR INFORMATION

We retain your information to enable us to offer you opportunities to provide rail replacement and event connect bus services.

LENGTH OF TIME RECORDS ARE KEPT

Records are kept until you tell us you no longer wish to be registered as a rail replacement operator and event connect operator, or you have not provided any services for 2 years.

SHARING DATA WITH THIRD PARTIES

We will not pass your personal information to any other organisation for any purposes other than processing your payment.

ACCIDENTS AND INCIDENTS

Personal details we hold

If you are involved in an accident or incident on or with one of our vehicles, or if you are a witness to an accident or incident, we will collect some or all the following details:

Name;

email address;

Phone number;

Address;

Date of birth;

Vehicle details;

Details of any injuries;

Details of damage to property and/or vehicles.

HOW WE USE YOUR PERSONAL DATA

We use this information for the investigation of accidents and incidents, handling claims and repairs to vehicles, preventing fraud and dealing with any legal actions arising from the incident or accident.

We will not pass your personal information to any other organisation for marketing purposes.

WHY WE RETAIN YOUR INFORMATION

We retain your information to enable us to resolve issues and settle claims, repair vehicles and comply with our legal obligations to support police and court actions.

CUSTOMER RELATIONS DATABASE

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

PERSONAL DETAILS WE HOLD

We may hold your name, address, date of birth, email address, phone number, ticket details, photocard image, our correspondence with you, the compensation/refund claims you have made, and payment made by us, proof of journey or other supporting information you may provide.

To ensure that we have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls. However you will always be told when this happens.

HOW WE USE YOUR PERSONAL DATA

Fpe

This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.

WHY WE RETAIN YOUR INFORMATION

We retain your information for permitted linked purposes like legal obligation. If the information is used for two purposes, we will retain it until the purpose with the latest period expires, but we will stop using it for the purpose with a shorter period once that period expires. Some information retained will enable us to investigate and resolve complaints, respond to you in dealing with your complaint or comment and to help us understand where our services may need improvement.

LENGTH OF TIME RECORDS ARE KEPT

We retain your information to 7 years.

SHARING DATA WITH THIRD PARTIES

We are required to provide details of your complaint to another operator if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman, if you have asked them to act on your behalf under a complaint handling procedure.

We may also share information with other operators for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

CHILDREN’S DATA

We do not routinely process children’s data, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process the child’s data.

Where we chose to rely on consent as the legal basis for processing children’s personal data, consent may be required from a person holding ‘parental responsibility’.

The children’s consent must be freely given, specific, informed and unambiguous.

5. WHERE WE STORE YOUR PERSONAL INFORMATION

The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the DPO / DPM if you wish to find out more about the safeguards.

6. INFORMATION SECURITY

We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

7. YOUR RIGHTS

Unless stated otherwise we will aim to satisfy your instruction or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe, we will let you know within 30 days and explain what the problem is.

OBJECT TO DIRECT MARKETING

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

indicate this by NOT ticking the box to be sent marketing emails (or offers);

if you have an account with us, by logging in and changing your contact preferences;

click the unsubscribe link on direct marketing emails; or

contact us.

ASK FOR A COPY OF YOUR PERSONAL DATA

You are entitled to request a copy of the personal information we hold about you.

We may need to ask for some further information, such as checking who you are. You can download the form here and send it to us, which will help us deal with your request more efficiently.

Please let us know in what format you wish to receive your information.

Sometimes we may hold information that we don’t have to provide, for example, it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.

In most cases, we provide a copy of your data to you for free. We have set out some information about when it might not be free or provided below.

RECTIFICATION / RESTRICTION

If you believe the information, we hold about you is inaccurate or incomplete, you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.

DELETION

This is also known as the “Right to be forgotten”, you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.

WITHDRAWAL OF CONSENT

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting us at [email protected] and [email protected]

We will act upon such instruction as soon as possible.

PORTABILITY

Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.

HOW WE DEAL WITH RIGHTS REQUESTS

We are not able to charge you a fee for dealing with rights requests unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case so that you can make a decision about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in DPL - for example, if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

COMPLAINTS

The DPO role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:

the business, please contact our DPO; or

the DPO, please contact the ICO.

We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our DPM is the first point of contact for dealing with Rights Requests and complaints, and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request, then you can contact the Group DPO:

We may revise this Privacy Policy from time to time. The most current version of this policy will govern the use of your information and will always be at www.abellio.co.uk/privacy. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.